Release: develop -> main (#2927)

* fix(security): disable unused urlencoded parser and patch CVE-2024-45590 & CVE-2025-15284 (#2925)

- Add body-parser 1.20.3 override to fix CVE-2024-45590 (DoS via deep nesting)
- Add qs ^6.14.1 override to fix CVE-2025-15284 (arrayLimit bypass)
- Disable automatic bodyParser in NestFactory.create() to remove unused urlencoded attack surface

Closes #2921

* [DEV-3526] Add automatic liquidity pipeline for ref payouts (#2672)

* feat(ref-reward): Add automatic liquidity pipeline for ref payouts

When ref reward payouts lack sufficient liquidity, automatically trigger
the LiquidityManagement pipeline (similar to BuyCrypto).

Changes:
- Add liquidityPipeline relation to RefReward entity
- Extend secureLiquidity() to check available liquidity
- Start pipeline via liquidityService.buyLiquidity() when deficit detected
- Set status to PENDING_LIQUIDITY before pipeline attempt (consistent with BuyCrypto)
- Process pending rewards when pipeline completes
- Reset to PREPARED on pipeline failure for automatic retry

Flow:
PREPARED → [liquidity check] → PENDING_LIQUIDITY → [pipeline complete] → READY_FOR_PAYOUT

* refactor: improve consistency of liquidity pipeline implementation

- Add pendingLiquidity() and resetToPrepared() entity methods to RefReward
  (consistent with existing entity method pattern like readyToPayout(), payingOut())
- Consolidate DB queries: load all rewards in single query instead of 3 separate
- Fix error handling: try/catch per individual reward instead of per asset group
  (consistent with ref-reward-out.service.ts pattern)
- Atomize pipeline updates: create pipeline first, then update rewards
  (avoids inconsistent state where rewards are PENDING_LIQUIDITY without pipeline)
- Remove misleading 'consistent with BuyCrypto' comment

* fix: change log level to warn for unexpected state

Rewards in PENDING_LIQUIDITY without pipeline should never occur
with atomic updates. This indicates legacy data or DB issues.

* feat: refactoring

* feat: added migration

---------

Co-authored-by: David May <david.leo.may@gmail.com>

* fix: exclude pending deposits from Kraken toKraken balance calculation (#2929)

Kraken deposits with status='pending' (On Hold) were incorrectly being
counted as "arrived" in the toKraken pending balance calculation. This
caused the balance to show ~117k CHF less than actual, because:

- 50k CHF On Hold
- 30k CHF On Hold
- 40k EUR On Hold (~37k CHF)

These deposits have not yet been credited to the Kraken account and
should not be subtracted from the pending-to-Kraken amount.

Add status !== 'pending' filter to both CHF and EUR receiver exchange_tx
filters in getFinancialDataLog().

* fix: prioritize user-provided refundTarget over pre-filled value (#2928)

When processing refunds, user input (dto.refundTarget) should take priority
over the pre-filled value (refundData.refundTarget). This allows customers
to override the original IBAN when it's a Multi-Account IBAN that cannot
be used for refunds.

Changed:
- BankTxReturn refund: dto.refundTarget ?? refundData.refundTarget
- BuyCrypto bank refund: dto.refundTarget ?? refundData.refundTarget

Previously the logic was reversed, ignoring user-provided values when
the backend had a pre-filled refundTarget.

---------

Co-authored-by: bernd2022 <104787072+bernd2022@users.noreply.github.com>
Co-authored-by: TaprootFreak <142087526+TaprootFreak@users.noreply.github.com>
Co-authored-by: David May <david.leo.may@gmail.com>

Author: 3 people

migration/1768325447128-RefRewardLiqPipeline.js

@@ -0,0 +1,28 @@
+/**
+ * @typedef {import('typeorm').MigrationInterface} MigrationInterface
+ * @typedef {import('typeorm').QueryRunner} QueryRunner
+ */
+
+/**
+ * @class
+ * @implements {MigrationInterface}
+ */
+module.exports = class RefRewardLiqPipeline1768325447128 {
+    name = 'RefRewardLiqPipeline1768325447128'
+
+    /**
+     * @param {QueryRunner} queryRunner
+     */
+    async up(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "ref_reward" ADD "liquidityPipelineId" int`);
+        await queryRunner.query(`ALTER TABLE "ref_reward" ADD CONSTRAINT "FK_0bdf973ad618dffd7a7c6c53dc8" FOREIGN KEY ("liquidityPipelineId") REFERENCES "liquidity_management_pipeline"("id") ON DELETE NO ACTION ON UPDATE NO ACTION`);
+    }
+
+    /**
+     * @param {QueryRunner} queryRunner
+     */
+    async down(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "ref_reward" DROP CONSTRAINT "FK_0bdf973ad618dffd7a7c6c53dc8"`);
+        await queryRunner.query(`ALTER TABLE "ref_reward" DROP COLUMN "liquidityPipelineId"`);
+    }
+}

package-lock.json

@@ -181,6 +181,8 @@
     "forceExit": true
   },
   "overrides": {
+    "body-parser": "1.20.3",
+    "qs": "^6.14.1",
     "request": {
       "form-data": "2.5.5"
     },

package.json

@@ -42,7 +42,7 @@ async function bootstrap() {
     AppInsights.start();
   }
 
-  const app = await NestFactory.create(AppModule);
+  const app = await NestFactory.create(AppModule, { bodyParser: false });
 
   app.use(morgan('dev'));
   app.use(helmet());

src/main.ts

@@ -447,7 +447,7 @@ export class TransactionController {
       if (!dto.creditorData) throw new BadRequestException('Creditor data is required for bank refunds');
 
       return this.bankTxReturnService.refundBankTx(transaction.targetEntity, {
-        refundIban: refundData.refundTarget ?? dto.refundTarget,
+        refundIban: dto.refundTarget ?? refundData.refundTarget,
         chargebackCurrency,
         creditorData: dto.creditorData,
         ...refundDto,
@@ -476,7 +476,7 @@ export class TransactionController {
     if (!dto.creditorData) throw new BadRequestException('Creditor data is required for bank refunds');
 
     return this.buyCryptoService.refundBankTx(transaction.targetEntity, {
-      refundIban: refundData.refundTarget ?? dto.refundTarget,
+      refundIban: dto.refundTarget ?? refundData.refundTarget,
       chargebackCurrency,
       creditorData: dto.creditorData,
       ...refundDto,

src/subdomains/core/history/controllers/transaction.controller.ts

@@ -1,6 +1,7 @@
 import { IEntity } from 'src/shared/models/entity';
 import { Column, Entity, Index, JoinTable, ManyToOne, OneToMany } from 'typeorm';
 import { BuyCrypto } from '../../buy-crypto/process/entities/buy-crypto.entity';
+import { RefReward } from '../../referral/reward/ref-reward.entity';
 import {
   LiquidityManagementExchanges,
   LiquidityManagementOrderStatus,
@@ -28,6 +29,9 @@ export class LiquidityManagementPipeline extends IEntity {
   @OneToMany(() => BuyCrypto, (buyCrypto) => buyCrypto.liquidityPipeline)
   buyCryptos: BuyCrypto[];
 
+  @OneToMany(() => RefReward, (refReward) => refReward.liquidityPipeline)
+  refRewards: RefReward[];
+
   @OneToMany(() => LiquidityManagementOrder, (orders) => orders.pipeline)
   orders: LiquidityManagementOrder[];
 

src/subdomains/core/liquidity-management/entities/liquidity-management-pipeline.entity.ts

@@ -2,6 +2,7 @@ import { forwardRef, Module } from '@nestjs/common';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { BlockchainModule } from 'src/integration/blockchain/blockchain.module';
 import { SharedModule } from 'src/shared/shared.module';
+import { LiquidityManagementModule } from 'src/subdomains/core/liquidity-management/liquidity-management.module';
 import { UserModule } from 'src/subdomains/generic/user/user.module';
 import { DexModule } from 'src/subdomains/supporting/dex/dex.module';
 import { NotificationModule } from 'src/subdomains/supporting/notification/notification.module';
@@ -32,6 +33,7 @@ import { RefRewardService } from './reward/services/ref-reward.service';
     NotificationModule,
     PricingModule,
     forwardRef(() => TransactionModule),
+    LiquidityManagementModule,
   ],
   controllers: [RefController, RefRewardController],
   providers: [

src/subdomains/core/referral/referral.module.ts

@@ -1,5 +1,6 @@
 import { Blockchain } from 'src/integration/blockchain/shared/enums/blockchain.enum';
 import { UpdateResult } from 'src/shared/models/entity';
+import { LiquidityManagementPipeline } from 'src/subdomains/core/liquidity-management/entities/liquidity-management-pipeline.entity';
 import { UserData } from 'src/subdomains/generic/user/models/user-data/user-data.entity';
 import { User } from 'src/subdomains/generic/user/models/user/user.entity';
 import { Transaction } from 'src/subdomains/supporting/payment/entities/transaction.entity';
@@ -40,6 +41,9 @@ export class RefReward extends Reward {
   @JoinColumn()
   sourceTransaction?: Transaction;
 
+  @ManyToOne(() => LiquidityManagementPipeline, { nullable: true })
+  liquidityPipeline?: LiquidityManagementPipeline;
+
   //*** FACTORY METHODS ***//
 
   readyToPayout(outputAmount: number): UpdateResult<RefReward> {